A Start-up Checklist for Your Pharmacy's HIPAA Compliance

1) Determine whether your pharmacy is covered by the new regulation (i.e., do you transmit patient-identifiable information electronically?). If in doubt, refer to the regulation.

2) Within your operation, determine who currently has access to protected medical information [sales/front-end clerks, pharmacy department staff (pharmacists, technicians, etc.), delivery staff, billing staff, and others].

3) Consider how you can maintain medical records so that each employee has access to and use of only the minimum necessary information for his/her job function. For example, what medical information is needed by the front-end sales staff, by the billing staff, etc.? Think about what policies and procedures you will develop for your pharmacy to implement HIPAA's "minimum necessary" requirement.

4) Evaluate the physical plant and operations of your facility:

a) Are computer screens with protected information visible to casual onlookers?

b) Where do you keep the pick-up register when not needed during open hours?

c) How does your pharmacy handle trash and copies of excess records? Who handles it?

d) What protections do you currently take for original patient records that must leave the pharmacy, e.g., under subpoena?

5) Keep track of all the entities to which you transfer patient medical information, such as physician offices, nursing homes, hospitals, third-party networks and/or PBMs, billing submission/claims processing agents, accountants, and independent contractors; determine the manner in which you transfer it (e-mail, fax, US Mail, private mail service, telephone/cable modem, messenger delivery services, etc.); and evaluate the security of those transmissions. Are they susceptible to loss or misdelivery?

6) Determine who your pharmacy's "business associates" are, and to whom you are a business associate; these are the parties with which you will seek contract revisions that assure compliance with HIPAA privacy and security requirements. [Business associates under the HIPAA rule are entities that assist with activities that involve protected health information, and may include claims processors, utilization reviewers, quality assurance reviewers, billing agents, lawyers, and accountants.]

7) Review current Louisiana laws regarding medical privacy, which remain operable until/unless supplanted by the federal privacy requirement.

8) Determine the relationship between the new HIPAA privacy and security regulation, the existing state licensure regulations, and federal and state Medicare or Medicaid regulations. Familiarize yourself with current licensure, conditions of participation, and OIG compliance guidance requirements that relate to privacy and security of patient records. Inspectors and auditors are likely to begin to focus attention on these requirements.